HotelHippo.com in ‘appalling’ data leak

Well-known hotel booking website Hotelhippo.com has been taken down after the discovery that it had been leaking customer data.

Information security consultant Scott Helme discovered the vulnerability and said he sent details to the firm on 25 June, but no action was taken until Tuesday.

Mr Helme, who described the breach as ‘appalling’, went on to say that repeated emails and phone calls to Hotelhippo.com’s owners, HotelStayUK, had been ignored.

However, managing director Chris Orrell said he was unaware of the issue.

“No-one’s passed on any information to me,” he said.

The ICO, the UK data privacy watchdog, opened an investigation on Tuesday.

The vulnerability

Before being taken down, the website displayed messages and trust stamps stating that it was secure. However, Mr Helme said discovering the vulnerability was easy.

“I easily discovered a method of extracting the personal and sensitive data of thousands of customers that had used the site before me,” he said.

The vulnerability centred on the use of unique web addresses to pull up customer data.

When placing a booking, a unique five-digit booking number would appear in the address bar of the web browser.

By simply altering this number, any user could pull up details of previous bookings. Details available were:

  • Date
  • Location
  • Length of stay
  • Home address

The flaw is an insecure direct object reference: the site handed out a booking record to anyone who supplied its number, without checking that the requester was the customer who made it. The failure to protect customer data in this way puts hotelhippo.com in breach of the Payment Card Industry Data Security Standard (PCI DSS).

A simple program could be written which automatically extracts all the available data. Aside from the phishing possibilities thrown up by having so much personal information so readily available, just imagine the value of a database containing details of which home addresses would be vacant at what time, and for how long…
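The flaw the article describes, and the fix it implies, as an added example that is not HotelHippo's code: a booking lookup that trusts the sequential number from the URL, beside one that only returns a booking to the account that owns it, plus an unguessable reference for bookings made without an account. A short sweep over the number range stands in for the "simple program" mentioned above and is run against both lookups. The sample bookings, account names and the five-digit range are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for the booking database. The fields
# mirror what the article says was exposed; the values are invented.
@dataclass(frozen=True)
class Booking:
    reference: int        # sequential five-digit number shown in the URL
    owner: str            # account that made the booking
    date: str
    location: str
    nights: int
    home_address: str

BOOKINGS: Dict[int, Booking] = {
    10001: Booking(10001, "alice", "2014-07-01", "London", 3, "1 Example Road, Leeds"),
    10002: Booking(10002, "bob",   "2014-07-04", "Paris",  2, "2 Sample Street, York"),
    10003: Booking(10003, "carol", "2014-07-09", "Rome",   5, "3 Test Lane, Bath"),
}

# Opaque reference -> internal booking number, for guest bookings (assumed store).
OPAQUE: Dict[str, int] = {}


def vulnerable_lookup(reference: int, session_user: str) -> Optional[Booking]:
    """Insecure direct object reference: whoever supplies a valid number gets
    the record. The logged-in user is never consulted."""
    return BOOKINGS.get(reference)


def hardened_lookup(reference: int, session_user: str) -> Optional[Booking]:
    """Authorisation check: a booking is returned only to the account that
    owns it. Unknown and foreign references both yield None, so the endpoint
    does not confirm which numbers exist."""
    booking = BOOKINGS.get(reference)
    if booking is None or booking.owner != session_user:
        return None
    return booking


def issue_opaque_reference(reference: int) -> str:
    """For bookings made without an account there is no owner to check, so
    give the customer a random 128-bit token instead of the sequential number
    and key lookups on that. The sequential number stays internal."""
    token = secrets.token_urlsafe(16)
    OPAQUE[token] = reference
    return token


def opaque_lookup(token: str) -> Optional[Booking]:
    """Lookup by unguessable token; the space is far too large to sweep."""
    reference = OPAQUE.get(token)
    return BOOKINGS.get(reference) if reference is not None else None


def harvest(lookup: Callable[[int, str], Optional[Booking]],
            session_user: str,
            start: int = 10000, stop: int = 10010) -> List[Booking]:
    """The kind of sweep the article warns about: walk the five-digit range
    and keep whatever the endpoint hands back."""
    found = []
    for reference in range(start, stop):
        booking = lookup(reference, session_user)
        if booking is not None:
            found.append(booking)
    return found


if __name__ == "__main__":
    # An attacker with their own account (or none) sweeps both endpoints.
    leaked = harvest(vulnerable_lookup, "mallory")
    print(f"vulnerable endpoint leaked {len(leaked)} bookings")
    for b in leaked:
        print(f"  {b.reference}: {b.owner} away {b.date} for {b.nights} nights, home {b.home_address}")
    print(f"hardened endpoint leaked {len(harvest(hardened_lookup, 'mallory'))} bookings")
    token = issue_opaque_reference(10003)
    print(f"guest token for 10003: {token} -> {opaque_lookup(token).location}")
```

The ownership check is the real fix; switching to random references on its own only makes guessing harder and should be reserved for the case where there is no authenticated owner to check against.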